Leicester City Council has become the latest organisation to tell to the Information Commissioner’s Office (ICO) that it has lost a USB stick containing sensitive personal data.
The drive appears to have contained not only the personal records of 4,000 elderly and vulnerable people in the city but, worse still, the codes to 2,000 small safe boxes on the outside of social housing used to store building keys.
In the light of the immediate security risk, the council is now in the process of changing the codes to counter the possibility that these might fall into the wrong hands.
Exactly what has happened to the drive remains a mystery. The drive reportedly never left the council offices and staff are said to be still hunting for it. Normally used as a backup drive and stored in a safe after use each night, the drive was last seen on Friday 4 March and reported as missing the following Tuesday.
A key issue will be whether the data on the drive was encrypted. A statement by a council spokesperson implied that it had been but this has yet to be confirmed.
"While we have been assured by our supplier the information on the device is not accessible to anyone who may find it, we are taking every precaution to maintain the security of our LeicesterCare user,” the Council said in a statement.
The Council has some history when it comes to USB sticks, having in 2008 lost a USB stick containing data on 80 children attending a nursery.
Further afield, lost USB sticks are now a tiresomely repeating security theme, including last month’s ICO reprimand for Cambridgeshire County Council for losing one containing data on vulnerable adults.
In both the Leicester and Cambridge cases, however, there are notable twists worth paying attention to. In Leicester the drive was only used to backup data before being stored in a safe – this was not dropped carelessly in a car park by a staff member. Superficially, the drive was being fully managed as part of a data policy. Meanwhile, Cambridge’s breach happened after an employee used a non-encrypted drive because the encrypted one suffered an unspecified problem.
Both examples underscore that even with encryption, the small physical size and undemanding nature of USB sticks makes them easy to lose or take for granted. However well secured they appear, complex chains of events can make them physically insecure.